1
00:00:06,970 --> 00:00:09,230
- When it comes to rogue access points

2
00:00:09,230 --> 00:00:12,460
what sort of methods can we employ to protect ourselves?

3
00:00:12,460 --> 00:00:13,930
Let's say we're on the enterprise side

4
00:00:13,930 --> 00:00:16,920
of things and we need to protect our enterprise network

5
00:00:16,920 --> 00:00:18,810
from rogue access points.

6
00:00:18,810 --> 00:00:20,620
It's not necessarily gonna be that person

7
00:00:20,620 --> 00:00:21,980
wearing the orange vest coming

8
00:00:21,980 --> 00:00:24,640
on site and installing a rogue access point.

9
00:00:24,640 --> 00:00:27,390
Internal employees can do this stuff as well.

10
00:00:27,390 --> 00:00:29,610
So what can you do to protect yourself?

11
00:00:29,610 --> 00:00:33,500
Proactively scan for access points that are connected

12
00:00:33,500 --> 00:00:36,470
to your network and/or in your space.

13
00:00:36,470 --> 00:00:39,650
So broadcasting wireless or plugged in.

14
00:00:39,650 --> 00:00:42,690
Don't forget that walls don't always matter

15
00:00:42,690 --> 00:00:45,053
when it comes to wireless networks,

16
00:00:46,100 --> 00:00:46,933
you know, unless you

17
00:00:46,933 --> 00:00:49,440
have some radiation shielding, you know, you're

18
00:00:49,440 --> 00:00:51,980
in a Faraday cage in your office.

19
00:00:51,980 --> 00:00:52,813
There's a good chance

20
00:00:52,813 --> 00:00:54,620
your wireless network is accessible

21
00:00:54,620 --> 00:00:57,770
beyond the wall that you might think it is.

22
00:00:57,770 --> 00:00:59,490
If you're in a multi-story building,

23
00:00:59,490 --> 00:01:01,920
don't forget you could have a neighbor upstairs

24
00:01:01,920 --> 00:01:04,170
that has a different wireless network

25
00:01:04,170 --> 00:01:06,500
not necessarily plugged into your network,

26
00:01:06,500 --> 00:01:08,940
but it's an access point

27
00:01:08,940 --> 00:01:11,333
that is accessible from your space.

28
00:01:12,380 --> 00:01:14,410
And that's not a rogue, by the way.

29
00:01:14,410 --> 00:01:16,410
Rogue is connected to your network.

30
00:01:16,410 --> 00:01:19,090
Check the CAM tables for OUIs

31
00:01:19,090 --> 00:01:22,800
that are associated with Wi-Fi access point vendors.

32
00:01:22,800 --> 00:01:26,800
We have this URL here, wireshark.org OUI lookup.

33
00:01:26,800 --> 00:01:27,640
You can go in there,

34
00:01:27,640 --> 00:01:29,100
take those first three bytes,

35
00:01:29,100 --> 00:01:30,470
drop it into this form

36
00:01:30,470 --> 00:01:34,410
and see who the maker of that particular product is.

37
00:01:34,410 --> 00:01:37,710
Enterprise solutions that do rogue detection capabilities.

38
00:01:37,710 --> 00:01:39,660
There are products on the market

39
00:01:39,660 --> 00:01:42,600
that will proactively look at CAM tables,

40
00:01:42,600 --> 00:01:47,450
compare it to OUI vendors or vendors associated.

41
00:01:47,450 --> 00:01:49,180
OUI is associated with vendors.

42
00:01:49,180 --> 00:01:51,940
And let you know that, you know, you have

43
00:01:51,940 --> 00:01:53,950
a rogue AP on your network.

44
00:01:53,950 --> 00:01:54,810
If you do find one,

45
00:01:54,810 --> 00:01:55,643
shut it down

46
00:01:56,640 --> 00:01:58,530
because you cannot enforce security

47
00:01:58,530 --> 00:02:01,000
on an access point that you do not control.

48
00:02:01,000 --> 00:02:04,100
And then finally consider the use of wireless intrusion

49
00:02:04,100 --> 00:02:05,963
detection and prevention.

50
00:02:07,150 --> 00:02:08,670
Some best practices for wireless.

51
00:02:08,670 --> 00:02:10,790
Change the SSID from the default.

52
00:02:10,790 --> 00:02:13,970
And remember that SSIDs are not passwords.

53
00:02:13,970 --> 00:02:14,970
If you are using

54
00:02:14,970 --> 00:02:17,970
a SOHO type wireless access point,

55
00:02:17,970 --> 00:02:20,590
change the default username and password

56
00:02:20,590 --> 00:02:24,550
for that router administration interface.

57
00:02:24,550 --> 00:02:28,100
Remember that once I crack the pre-shared key,

58
00:02:28,100 --> 00:02:29,790
I can join your network.

59
00:02:29,790 --> 00:02:32,140
And then I surf to my default gateway.

60
00:02:32,140 --> 00:02:34,750
If it's a SOHO type access point,

61
00:02:34,750 --> 00:02:36,050
I'm gonna know the vendor

62
00:02:36,050 --> 00:02:36,883
of that product,

63
00:02:36,883 --> 00:02:39,220
'cause it's gonna be prominently displayed

64
00:02:39,220 --> 00:02:41,780
on whatever that landing page is to log in

65
00:02:41,780 --> 00:02:43,430
to the administration portal.

66
00:02:43,430 --> 00:02:44,610
Once I know the vendor,

67
00:02:44,610 --> 00:02:47,180
I can go look up the default username and password.

68
00:02:47,180 --> 00:02:49,890
And if you haven't changed it, I can log in and actually

69
00:02:49,890 --> 00:02:51,473
kick you off your own network.

70
00:02:52,660 --> 00:02:55,560
And disable the broadcasting of SSIDs.

71
00:02:55,560 --> 00:02:57,330
It's a recommended best practice;

72
00:02:57,330 --> 00:02:59,190
however, it's not going to protect you

73
00:02:59,190 --> 00:03:03,140
from anything, that SSID can still be derived.

74
00:03:03,140 --> 00:03:05,470
And finally disable remote administration

75
00:03:05,470 --> 00:03:09,550
from the quote unquote LAN side of the,

76
00:03:09,550 --> 00:03:12,090
and this is again for SOHO type devices,

77
00:03:12,090 --> 00:03:14,070
from the WAN side of the device.

78
00:03:14,070 --> 00:03:16,370
Whatever that upstream interface is,

79
00:03:16,370 --> 00:03:18,510
consider disabling administration

80
00:03:18,510 --> 00:03:20,570
on that particular interface.

81
00:03:20,570 --> 00:03:22,470
Filter MAC addresses

82
00:03:22,470 --> 00:03:24,490
if administratively feasible.

83
00:03:24,490 --> 00:03:26,450
I mentioned this in a previous lesson,

84
00:03:26,450 --> 00:03:29,490
actually doing static MACs on switchports

85
00:03:29,490 --> 00:03:32,070
in any scale of environment

86
00:03:32,070 --> 00:03:34,010
is administratively intense.

87
00:03:34,010 --> 00:03:36,400
Doing it at your house, easy to do, you know

88
00:03:36,400 --> 00:03:37,800
your devices and your network

89
00:03:37,800 --> 00:03:39,930
and it's, you know, can be a little fun to say

90
00:03:39,930 --> 00:03:42,320
that, you know, you can't connect to my network.

91
00:03:42,320 --> 00:03:43,880
Regardless, doing this

92
00:03:43,880 --> 00:03:47,120
in an enterprise environment, very difficult to do.

93
00:03:47,120 --> 00:03:50,720
However, those switchport security features we talked about

94
00:03:50,720 --> 00:03:52,910
in a previous lesson could be employed here.

95
00:03:52,910 --> 00:03:54,120
Wherein you allow

96
00:03:54,120 --> 00:03:56,280
and learn the first MAC address

97
00:03:56,280 --> 00:03:57,930
that connects, and then you don't allow it

98
00:03:57,930 --> 00:03:59,600
to learn new MAC addresses.

99
00:03:59,600 --> 00:04:01,790
When it comes to encryption

100
00:04:01,790 --> 00:04:05,830
on your wireless networks, use WPA3, or WPA2

101
00:04:05,830 --> 00:04:08,870
if three is not available. Disable WEP entirely.

102
00:04:08,870 --> 00:04:11,980
Do not put identifying information in your SSID.

103
00:04:11,980 --> 00:04:14,700
It should be some random word that has nothing to do

104
00:04:14,700 --> 00:04:17,363
with your company or your company name.

105
00:04:18,410 --> 00:04:20,700
Use firewalls and intrusion detection devices.

106
00:04:20,700 --> 00:04:21,690
This is just, you know,

107
00:04:21,690 --> 00:04:24,680
classic perimeter edge security stuff.

108
00:04:24,680 --> 00:04:27,900
Consider using higher level encryption.

109
00:04:27,900 --> 00:04:29,930
So, once you've joined the network

110
00:04:29,930 --> 00:04:32,780
there is some level of encryption there,

111
00:04:32,780 --> 00:04:35,630
from your device to the access point.

112
00:04:35,630 --> 00:04:38,230
The data that's inside that connection,

113
00:04:38,230 --> 00:04:39,800
you could consider, you know,

114
00:04:39,800 --> 00:04:43,530
transport layer security, IPsec, et cetera,

115
00:04:43,530 --> 00:04:45,980
for encryption of the actual data

116
00:04:45,980 --> 00:04:48,010
within that wireless connection.

117
00:04:48,010 --> 00:04:51,330
Wireless IDS again, and intrusion prevention.

118
00:04:51,330 --> 00:04:53,440
There are two products we'll touch on here,

119
00:04:53,440 --> 00:04:56,210
one is from Cisco and one is from Aruba.

120
00:04:56,210 --> 00:04:59,020
So the vendors of enterprise access points

121
00:04:59,020 --> 00:05:02,780
also offer wireless intrusion prevention systems.

122
00:05:02,780 --> 00:05:06,843
Cisco's Adaptive wIPS is one such example.

123
00:05:07,750 --> 00:05:12,750
And then Aruba has RFProtect Wireless Intrusion Protection,

124
00:05:12,830 --> 00:05:15,300
with various licensing options available to you.

125
00:05:15,300 --> 00:05:17,980
So these are enterprise access point vendors.

126
00:05:17,980 --> 00:05:20,160
Oftentimes with enterprise access points

127
00:05:20,160 --> 00:05:22,430
the inside wired interface

128
00:05:22,430 --> 00:05:25,360
of that access point is simply a bridge

129
00:05:25,360 --> 00:05:28,520
from the wireless network to the local area network.

130
00:05:28,520 --> 00:05:30,880
In some cases, the data will be tunneled back

131
00:05:30,880 --> 00:05:32,730
to a central point through something

132
00:05:32,730 --> 00:05:34,850
like LWAPP in the Cisco realm.

133
00:05:34,850 --> 00:05:37,910
And with these enterprise grade solutions

134
00:05:37,910 --> 00:05:39,160
they offer solutions such

135
00:05:39,160 --> 00:05:42,420
as this for wireless intrusion protection

136
00:05:42,420 --> 00:05:45,393
and/or prevention and/or detection.